Currently, I have:
$("#upvote").click(function(){
    // Read the current score from the page and bump it locally
    var up = parseInt(document.getElementById('voteScore').innerHTML, 10);
    up++;
    document.getElementById('voteScore').innerHTML = up;
    // Tell the server about the vote (GET request; the post id is injected by PHP)
    $.ajax("include/mysql_lib.php?op=upvote&v1=<?php echo $id; ?>");
});
There are two problems I have with this. First, I’m using GET to send variables, which makes me nervous. Secondly, the mysql_lib.php script is right there in my web root. I would much prefer having it in my hosting provider’s protected directory instead of public.
Is this possible?
If you want to make requests to a web resource, it needs to be publicly visible somehow, no way around that.
You need to make sure that there’s nothing one can do with mysql_lib.php that is destructive, like op=delete or something, and there’s no way to arbitrarily access resources one is not supposed to see (like by changing the id parameter). Also, to avoid gaming, you may want to impose some limits on how often a resource can be upvoted from a single client (that’s a complex issue though; there is a lot of good reading on it here on Stack Overflow.)
Whether you use POST or GET doesn’t make a difference security-wise, but using POST would be more fitting, as you are changing state on the server. You can use POST with jQuery’s Ajax.
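The checks the answer describes (POST only, an allow-list of operations, a validated id, and a per-client limit), written as an added example in plain JavaScript so it runs stand-alone; it is not code from the question or the answer, and the endpoint on the page is PHP. The names validateUpvoteRequest, RateLimiter, ALLOWED_OPS and the sample visiblePosts set are assumptions for this example.

```javascript
// Added example: the request checks the answer calls for, as plain JavaScript.
// Names here (ALLOWED_OPS, RateLimiter, validateUpvoteRequest, visiblePosts)
// are hypothetical; the real endpoint on the page is include/mysql_lib.php (PHP).

// Only the operations this endpoint is meant to expose; any other op
// (for instance a hypothetical op=delete) is refused before touching the database.
const ALLOWED_OPS = new Set(["upvote"]);

// Constructed sample of ids the public is allowed to vote on.
const visiblePosts = new Set([42, 43]);

// Per-client limit: at most `max` upvotes of the same post per `windowMs`.
class RateLimiter {
  constructor(max, windowMs) { this.max = max; this.windowMs = windowMs; this.hits = new Map(); }
  allow(key, now = Date.now()) {
    const recent = (this.hits.get(key) || []).filter(t => now - t < this.windowMs);
    if (recent.length >= this.max) { this.hits.set(key, recent); return false; }
    recent.push(now);
    this.hits.set(key, recent);
    return true;
  }
}

// Validate a request {method, params, clientId}. Returns {ok: true, id} when the
// vote may be recorded, otherwise {ok: false, status, reason}; nothing is written
// to any store unless ok is true.
function validateUpvoteRequest(req, limiter, now = Date.now()) {
  if (req.method !== "POST") return { ok: false, status: 405, reason: "state change requires POST" };
  const { op, v1 } = req.params || {};
  if (!ALLOWED_OPS.has(op)) return { ok: false, status: 400, reason: "unknown op" };
  // v1 must be a plain positive integer: rejects "", "-5", "1.5" and "42 OR 1=1".
  if (typeof v1 !== "string" || !/^[1-9][0-9]*$/.test(v1)) return { ok: false, status: 400, reason: "bad id" };
  const id = Number(v1);
  // Only resources the client is supposed to see can be acted on.
  if (!visiblePosts.has(id)) return { ok: false, status: 404, reason: "no such post" };
  if (!limiter.allow(`${req.clientId}:${id}`, now)) return { ok: false, status: 429, reason: "rate limited" };
  return { ok: true, id };
}
```

On the client, `$.post("include/mysql_lib.php", { op: "upvote", v1: id })` sends the same parameters in a POST body instead of the URL.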